President Obama's Executive Order on cybersecurity, released in February, prods the executive arm of the federal government to use its existing powers to establish a cybersecurity baseline. The fastest way to do that, under existing law, is to place cybersecurity requirements on organizations that are deemed part of the nation's "critical infrastructure."

The current definition of critical infrastructure encompasses power plants, chemical facilities, communications networks, bridges, highways, stadiums, and governmental buildings. Because this definition focuses on physical security, a special working group was formed under the auspices of the U.S. Department of Homeland Security to better define what constitutes critical infrastructure in cybersecurity.

But, to be effective, the definition must expand to reflect a world in which network connectivity increases every day. The recent ATM heist where hackers managed to steal $45 million demonstrates how cybersecurity failures along the chain of interconnectivity can result in a devastatingly successful and profitable cyberattack.

Put simply, we are not protected when the organizations currently identified as part of the critical infrastructure are given a cybersecurity baseline. Those organizations, through their networks, are connected to the rest of the American economy. And most of those companies don't meet the definition.

A failure at one unprotected company can quickly lead to a massive cybersecurity problem for any company linked to its systems. Effective cybersecurity recognizes this domino effect. It's time to think about our entire economy as critical infrastructure.

What stands in the way of establishing a nationwide cybersecurity baseline? The usual suspects—politics that interfere with bills getting through Congress and governmental agency in-fighting. But the biggest practical challenge is that even the best, most comprehensive cybersecurity protocols can't offer 100 percent security.

If cyberattackers are hell-bent on breaking into your systems, with enough effort, money, and persistence, they can succeed. In the face of competing internal priorities for funds, many organizations decide that, since they cannot guarantee absolute protection from hacking, dedicating significant resources to cybersecurity controls does not make sense.

But establishing reasonable cybersecurity controls and monitoring protocols can go a long way toward reducing the likelihood of a cyberattack. Given the sensitive nature of information that can be available to individual networks and the staggering number of citizens affected, that is no small thing. In addition, a good cybersecurity program helps companies spot a cyberattack much earlier, offering a critical opportunity to minimize the amount of data that is compromised.

In this kind of situation—where private and public entities have the opportunity to reduce the likelihood of a cyberattack, but often decide against spending the money to protect themselves—government regulation (including the ability to enforce and penalize) is necessary and appropriate.